The APT News testing for LP: #2069237 all passed, and this is enough to call verification-done for all releases here.
Just in case, I have executed the CI test using the package from the archive and checked the failure exists, seeing it pass when using the package in proposed.

** Description changed:

+ [ Impact ]
+
+ When the APT news available for a machine have a package+version
+ selector, the service needs access to dpkg/apt data to verify package
+ installation status. This is not permitted in the ubuntu_pro_apt_news
+ profile, and is triggering DENIED log entries. Those entries report the
+ service trying to execute /usr/bin/dpkg and accessing various
+ /var/lib/apt/lists/ files, which it should be able to do.
+
+ To reproduce this, one can configure a simple http server and serve an
+ apt-news JSON using a package selector. The Pro Client test suite has an
+ example for how that is done in features/apt_messages.feature. Then,
+ remove the apt stamp and start the apt-news service, steps which are
+ described in the test case. By chance, at the time of this writing,
+ there are actual apt-news messages with package selectors for Jammy+,
+ which made identifying the issue a lot easier.
+
+ The solution here is simply to allow the service to access the files it
+ needs.
+
+ [ Test Plan ]
+
+ There is a test scenario in the Pro Client CI (APT news selectors) which
+ was modified to catch those DENIED messages when they happen.
+
+ - Run the test using the package in the archive, see it fail
+ - Run it using the version in proposed, see it pass
+
+ This test will be executed as part of the verification of the main SRU
+ bug (LP: #2069237) for release 33.2. This test passing is considered
+ enough to mark this bug verification-done.
+
+ [ Where problems could occur ]
+
+ A syntax error in the apparmor profile would prevent it from loading,
+ and remove its protection entirely. To account for that, the package
+ build process runs an apparmor static check on the generated profiles,
+ and if that fails, the package build fails. It could still be
+ susceptible to errors at profile load-time regarding the running kernel,
+ which is likely different from the kernel running on the launchpad
+ builders.
+
+ Another type of mistake that could happen is inadvertently opening up
+ the profile more than is needed - but the affected profile does need
+ that access to verify the status of installed packages in the system. It
+ requests only read permissions on the directories and execute
+ permissions on the dpkg binary.
+
+ [ Other Info ]
+
+ Upstream bug report:
+ https://github.com/canonical/ubuntu-pro-client/issues/3193
+
+ Unfortunately this wasn't caught by the extensive Pro test suite because
+ there was a gap in the test which targets the package selectors for apt
+ news, where the CI would run `pro refresh messages` to check for outputs
+ rather than actually calling the service. The test was updated to start
+ the service using `systemctl` instead.
+
+ [ Original Description ]
With ubuntu-advantage-tools 32.3.1~22.04 on jammy (22.04.4 LTS), I see these errors in my logs once a day:

Jul 8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885759] audit: type=1400 audit(1720431788.385:410): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.886077] audit: type=1400 audit(1720431788.385:412): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889614] audit: type=1400 audit(1720431788.389:413): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.neWaMc" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889781] audit: type=1400 audit(1720431788.389:414): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.889816] audit: type=1400 audit(1720431788.389:415): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.5aSBV3" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

** Tags removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-jammy verification-needed-noble verification-needed-xenial
** Tags added: verification-done verification-done-bionic verification-done-focal verification-done-jammy verification-done-noble verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2072489

Title:
  AppArmor denied errors for ubuntu_pro_apt_news profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2072489/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
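The bug report above turns a set of `apparmor="DENIED"` kernel audit lines into the two profile changes the fix needed (read access under /var/lib/apt/lists/, execute on /usr/bin/dpkg). The following script is an added example, not code from the bug, from ubuntu-pro-client or from the AppArmor project: it parses audit records of the format quoted in the report, aggregates the denied paths and masks per profile, and prints candidate rules a reviewer can then tighten. Its sample input re-uses the first five log lines from the report plus one constructed non-DENIED line; the path generalisation (collapsing /tmp entries to `owner /tmp/**`, adding `/**` for directory opens), the `c`/`d` to `w` mapping and the `ix` exec mode are the example's own assumptions, not something the fix itself does.

```python
"""Summarise AppArmor DENIED audit records into candidate profile rules.

Added example; not part of ubuntu-pro-client or the bug fix it describes.
"""
import re
from collections import defaultdict

# Constructed sample: the first five lines are the ones quoted in the bug
# report; the last line is made up here to show that records that are not
# apparmor="DENIED" (e.g. complain-mode ALLOWED entries) are ignored.
SAMPLE_LOG = """\
Jul 8 17:43:08 yarn-labs kernel: [691764.876662] audit: type=1400 audit(1720431788.377:406): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/var/lib/apt/lists/" pid=503520 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.881552] audit: type=1400 audit(1720431788.381:407): apparmor="DENIED" operation="exec" profile="ubuntu_pro_apt_news" name="/usr/bin/dpkg" pid=503936 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884141] audit: type=1400 audit(1720431788.385:408): apparmor="DENIED" operation="open" profile="ubuntu_pro_apt_news" name="/tmp/#24" pid=503520 comm="python3" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.884577] audit: type=1400 audit(1720431788.385:409): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Z4ikhX" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:08 yarn-labs kernel: [691764.885873] audit: type=1400 audit(1720431788.385:411): apparmor="DENIED" operation="mknod" profile="ubuntu_pro_apt_news" name="/tmp/clearsigned.message.Awmdfp" pid=503520 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 8 17:43:09 yarn-labs kernel: [691765.000000] audit: type=1400 audit(1720431789.000:412): apparmor="ALLOWED" operation="open" profile="example_profile" name="/etc/hosts" pid=1 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as emitted by the AppArmor audit hook.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# denied_mask characters -> profile permission letters. 'c' (create) and
# 'd' (delete) are granted by 'w' in profile syntax (assumption of this
# example for the mapping; exec is handled separately).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "l": "l", "k": "k", "m": "m"}
# Exec mode is a policy decision ('ix' keeps the child under the same
# profile); chosen here as an assumption, not taken from the actual fix.
EXEC_PERM = "ix"
PERM_ORDER = "rwalkm"


def parse_audit_line(line):
    """Return the fields of one apparmor="DENIED" record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    # Without profile, path and mask there is nothing to turn into a rule.
    if not {"profile", "name", "denied_mask"} <= fields.keys():
        return None
    return fields


def generalise_path(name):
    """Map a denied path to the glob(s) a rule would use (assumptions):
    /tmp entries carry random suffixes or anonymous '#<inode>' names, so
    they collapse to one owner-restricted glob; a directory open usually
    means its contents are read as well, so '/**' is added alongside."""
    if name.startswith("/tmp/"):
        return ["owner /tmp/**"]
    if name.endswith("/"):
        return [name, name + "**"]
    return [name]


def format_perms(perm_set):
    """Render a permission set in AppArmor's usual order, exec mode last."""
    base = "".join(ch for ch in PERM_ORDER if ch in perm_set)
    exec_mode = "".join(p for p in sorted(perm_set) if len(p) > 1)
    return base + exec_mode


def suggest_rules(log_text):
    """Aggregate DENIED records and return {profile: [rule, ...]}, one rule
    per path glob with the union of the masks seen for it."""
    perms = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event is None:
            continue
        for glob in generalise_path(event["name"]):
            for ch in event["denied_mask"]:
                if ch == "x":
                    perms[event["profile"]][glob].add(EXEC_PERM)
                elif ch in MASK_TO_PERM:
                    perms[event["profile"]][glob].add(MASK_TO_PERM[ch])
    return {profile: [f"{glob} {format_perms(p)}," for glob, p in sorted(globs.items())]
            for profile, globs in perms.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

On a live system the same function can be fed `journalctl -k` output. Treat its output as a starting point only: the report itself notes that the profile needs no more than read on the apt lists directories and execute on dpkg, so the broader `/tmp` and `/**` globs the example emits are exactly the kind of over-grant a reviewer should trim before shipping a profile.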
